Seamless Campaign Delivers Ramnit Banking Trojan via RIG EK.

Recent threat hunting had led me to another Seamless gate which used RIG EK to deliver Ramnit banking Trojan. The Seamless campaign, which has been around since at least February 2017, has always Favorited Ramnit as its payload. Often the Ramnit payloads will download additional malware such as AZORult stealer.

The publisher (a website that displays adverts) that I used for this infection chain is very popular in Pakistan. In fact, Alexa ranks it within the top 50 in Pakistan and in the top 4,000 globally. Traffic estimates for the publisher shows that they received an estimated 4.1 million visitors in the last 30 days.

Below is an image of the infection chain being captured via Wireshark:

HTTP redirection chain Edited

I created a basic flowchart to make the redirection chain easier to follow:

flowchart

The publisher’s page source:

page source

go.oclasrv.com redirected, via a 302 Moved Temporarily, to onclkds.com:

go.oclasrv.com returns 302 found edited

go.oclasrv.com and onclkds.com are used by ad network Propeller Ads Media for ad serving.

I believe onclkds.com redirected to engine.spotscenered.info. Oddly enough, I couldn’t find any useful information about engine.spotscenered.info.

engine.spotscenered.info/link.engine redirects, via a 302 Found, to engine.spotscenered.info/Redirect.eng:

engine.spotscenered.info 302 found edited

engine.spotscenered.info/Redirect.eng returned a 200 OK with the following script:

200 OK

This redirected to xn--15-mmc.xn--p1acf/go2/index.php, which returned a 301 Moved Permanently that pointed to paremated-conproxy.com/voluum/ and JavaScript which grabs the time zone information from the user.

xn--15-mmc.xn--p1acf 301 moved permanently edited

The user’s time zone information is supposed to be POSTed back to the server, however, there was no POST request.

paremated-conproxy.com/voluum/ redirected to 15cen.redirectvoluum.com/redirect:

paremated-conproxy.com 200 OK edited

15cen.redirectvoluum.com/redirect redirected to the Seamless gate at 194[.]58[.]58[.]121/test3.php:

15cen.redirectvoluum.com 200 OK edited

test3.php returns an iframe that redirects to the RIG EK landing page at 188.225.85.82:

seamless gate iframe edited

The payload being pushed by the Seamless campaign is Ramnit banking Trojan.

File System

The payload was dropped in %Temp% and executed:

Temp1

bilonebilo619.exe sets the registry key “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\jfghdug_ooetvtgk”.

bilonebilo619.exe then creates a copy of itself in “C:\Users\[Username]\AppData\Local\mykemfpi\ufyqwfyv.exe”:

bilonebilo619.exe then creates a startup file at “C:\Users\[Username]\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ufyqwfyv.exe”:

startup

bilonebilo619.exe then sets AutoStart registry key “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UfyQwfyv”:

Run

bilonebilo619.exe then sets AutoStart registry key “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit”:

winlogon

Process “ufyqwfyv.exe” then creates another copy of itself file at “C:\Users\[Username]\AppData\Local\Temp\ebqvhrfc.exe”:

Temp 2

Process “ebqvhrfc.exe” creates file “C:\Users\[Username]\AppData\Local\Temp\lhxocmtw.exe”:

Temp 3

Process “svchost.exe” creates a .log file in “C:\ProgramData\cdprsxjy.log”:

programdata log file

Process “svchost.exe” then creates the .log files in %LocalAppData%:

localappdata

Process “svchost.exe” creates process “tracert.exe” and process “tracert.exe” sets registry key “HKCU\Software\AppDataLow\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\Client”:

reg client edited

Network Based IOCs

Pre-infection:

  • 52.52.18.181 – paremated-conproxy.com – GET /voluum/
  • 52.9.71.23 – 15cen.redirectvoluum.com – GET /redirect
  • 194.58.58.121 – GET /test3.php – Seamless gate
  • 188.225.85.82 – IP literal hostname used by RIG EK

Post-infection via TCP port 443:

  • 46.165.254.211 – fejbmscsuruiow.com
  • 46.165.254.211 – anyaikyaeifcprlcrof.com
  • 195.38.137.100 – edbvkjmr.com
  • 194.87.94.11 – upwdodqrmjydqcys.com
  • 87.106.190.153 – bmtnnkvm.com

TCP Connections:

Remote Address: 46.165.254.211
Remote Port: 443
Process Name: svchost.exe
Process Path: C:\Windows\system32\svchost.exe
Remote IP Country: Germany

Remote Address: 195.38.137.100
Remote Port: 443
Process Name: svchost.exe
Process Path: C:\Windows\system32\svchost.exe
Remote IP Country: Germany

Remote Address: 194.87.94.11
Remote Host Name: ptr.ruvds.com
Remote Port: 443
Process Name: svchost.exe
Process Path: C:\Windows\system32\svchost.exe
Remote IP Country: Russian Federation

Remote Address: 87.106.190.153
Remote Port: 443
Process Name: svchost.exe
Process Path: C:\Windows\system32\svchost.exe
Remote IP Country: Germany

DNS queries and responses:

DNS queries and responses

Hashes

SHA256: 57438a61471d4da3550c8235dffd6836979057f0467e17d38887b1ad5b6c375d
File name: RigEK landing page.txt

SHA256: d0156d98de96e278938329e026c6992510e5931d13c7d36b3845e605c553661b
File name: RigEK Flash exploit.swf

SHA256: b793211fd7238fa5402a0bcdfb5a486dc31fd13b9bd58697ceb8328ab2cf6164
File name: bilonebilo619.exe
Hybrid-Analysis Report

Downloads

Malicious Artifacts 100417
Password is “infected”

References

A very detailed look at Ramnit:

  1. https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

Leave a Comment

%d bloggers like this: